Re: Certificates for DoT and DoH?

Mon, 28 Feb 2022 07:12:19 -0800 


> On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bj...@mork.no> wrote:
> Any recommendations for a CA with a published policy allowing an IP
> address SAN (Subject Alternative Name)?
> Both Quad9 got their certificate from DigiCert:
> 
>        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 
> 2020 CA1
>        Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = 
> *.quad9.net
>            X509v3 Subject Alternative Name:
>                DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP 
> Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP 
> Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP 
> Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, 
> IP Address:149.112.112.12, IP Address:149.112.112.13, IP 
> Address:149.112.112.14, IP Address:149.112.112.15, IP 
> Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP 
> Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP 
> Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP 
> Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP 
> Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP 
> Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP 
> Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP 
> Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
> 
> Does this mean that DigiCert is the only alternative?

I assume not, but we’d already used them for other things, and they didn’t have 
a problem doing it, so we didn’t shop any further.

> And do they really have this offer for ordinary users, or is this also some 
> special
> arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

> That does make me wonder how they verify that I'm the rightful owner of
> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
> Or you could ask yourself if you trust a CA with such an offer...

Yep.  DANE is the correct answer.  CAs are not.  But that’s been true for a 
very long time, and people are still trying to pretend that CAs know what’s 
what.

                                -Bill

Attachment: signature.asc
Description: Message signed with OpenPGP

Reply via email to